[Openid-specs-ab] Certification of your relying party software

Mike Schwartz mike at gluu.org
Sun Jan 8 15:40:36 UTC 2017


Just my $.02. I know I said this before...

We want client developers to certify their code! I think RP testing 
should be permanently free. The few bucks it's going to bring in are not 
material compared with the benefit to the community of better libraries 
and deployments.

What we're seeing at Gluu is that there is a lot of crappy client code. 
Also, we're seeing that a lot of developers are using OAuth2 libraries, 
and not taking advantage of the security features of OpenID Connect.

It seems the end-users of RP client code don't care that much if it's 
certified. They want ease of use. They want it to solve a problem.

It's a weird dichotomy. We get raked over the coals by enterprise 
security departments on the Gluu Server OP. And then the client 
developers are using implicit flow and not even checking the 
state or id_token!

Any fee will put a barrier to testing. We should give client developers 
who self-certify a medal--not charge them!

- Mike
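The two checks the post says client code skips, verifying that the returned `state` matches what the RP stored in the session and validating the `id_token` (signature, `iss`, `aud`, `exp`, `nonce`) before trusting it, as an added example that is not part of Mike's message or Gluu's code. It uses a constructed HS256 shared secret so it runs offline; a real RP would normally verify RS256 signatures against the OP's published JWKS, and the issuer and client id values here are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed values for this example only (not from the post).
ISSUER = "https://op.example"          # the OP this RP trusts
CLIENT_ID = "example-rp"               # this RP's registered client_id
CLIENT_SECRET = b"constructed-demo-secret"  # HS256 key shared with the OP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the OP: signs the claims as an HS256 JWT (test helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def begin_login(session: dict) -> dict:
    """RP side, before redirecting to the OP: mint unguessable state and
    nonce and remember them in the user's session so the callback can be
    bound to this browser's login attempt."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    return {"state": session["state"], "nonce": session["nonce"]}


def validate_callback(session: dict, returned_state: str, id_token: str,
                      now: float = None, secret: bytes = CLIENT_SECRET) -> dict:
    """RP side, on the redirect back from the OP. Returns the verified
    claims or raises ValueError. state and nonce are single-use: they are
    removed from the session whether or not validation succeeds."""
    now = time.time() if now is None else now
    expected_state = session.pop("state", None)
    expected_nonce = session.pop("nonce", None)

    # 1. state binds the response to the request this RP actually started
    #    (CSRF protection); compare in constant time.
    if expected_state is None or not hmac.compare_digest(expected_state, returned_state or ""):
        raise ValueError("state mismatch")

    # 2. Signature check before looking at any claim.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never accept alg from the token blindly
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # 3. Claim checks: issuer, audience, expiry, and the nonce that ties the
    #    token to this login attempt (replay protection).
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if expected_nonce is None or claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    session = {}
    params = begin_login(session)
    token = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                           "iat": 1000, "exp": 4000, "nonce": params["nonce"]})
    print(validate_callback(session, params["state"], token, now=2000)["sub"])
```

Each failure path raises rather than falling through, and the state/nonce are consumed on the first callback so a replayed redirect cannot succeed even with a valid token.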